SaltStack Windows Playbooks

  • Hello,

    I wanted to start topic that hopefully will be always updated and kinda pinned, listing all the guides and neat stuff we can do with saltstack, I use it to manage Windows clients mostly, so for me this will be like Active Directory replacement show case.

    Want to hear your feedback and correct me if you see room for improvements, and share ideas as well.

    This will not cover setting up Salt, just the techniques which I call playbooks (I know taken from Ansible).

  • @msff-amman-Itofficer

    Sophos Virus Removal Tool:

    Upload the sophos folder to the salt master and send it to clients:
    salt '*' cp.get_dir salt://sophos/ c:/salt
    Run sophos silently and delete the temp files prior:
    salt '*' cmd.run 'del /q/f/s %TEMP%\*'
    salt '*' cmd.run '"c:/salt/sophos/SVRTcli.exe" -yes -reboot'

    To view the log file, you can read this file:
    salt '*' cmd.run 'type "C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log"'

    To clean the log file:
    salt '*' cmd.run 'del /q/f/s "C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\*"'

    Other Command line options:
    -debug Display extra logging information.
    -help Display this text help.
    -noupdate Don't download updates when the tool starts.
    -preview Don't do disinfection/cleanup.
    -reboot Reboot automatically if required for cleanup.
    -reset Remove any pending cleanup on reboot operations.
    -uninstall Uninstall after scan and cleanup is complete.
    -yes Don't ask for confirmation before cleanup.

    You can create a state file and schedule it in cron as well:

    Create sophos.sls in /srv/salt with:

        # state IDs (sophos_files, sophos_run) are placeholders; any unique names work
        sophos_files:
          file.recurse:
            - source: salt://sophos
            - name: 'c:\salt\sophos'
            - makedirs: True

        sophos_run:
          cmd.run:
            - name: 'c:\salt\sophos\state.cmd'

    Then schedule the below command in crontab (VISUAL=nano crontab -e) to run every 2 hours:
    0 */2 * * * salt '*' state.apply sophos

    And in the state.cmd file put your command.
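    The same steps as one ordered state, as an added example and not the poster's own sophos.sls: it copies the tool, clears %TEMP%, runs the scan and then prints the log, using require so each step waits for the previous one. The state IDs are assumptions.

```yaml
# Added example, not from the original post. State IDs are arbitrary.
sophos_files:
  file.recurse:
    - source: salt://sophos
    - name: 'c:\salt\sophos'

# Clear the temp directory before scanning; cmd.run goes through cmd.exe
# on Windows, so %TEMP% expands on the minion, not on the master.
sophos_clear_temp:
  cmd.run:
    - name: 'del /q/f/s %TEMP%\*'
    - require:
      - file: sophos_files

# Silent scan with automatic cleanup; -reboot restarts the machine only
# if cleanup needs it. Add -preview for a detect-only run that changes
# nothing on the client.
sophos_scan:
  cmd.run:
    - name: '"c:\salt\sophos\SVRTcli.exe" -yes -reboot'
    - require:
      - cmd: sophos_clear_temp

# Echo the tool's log into the state output so the result is captured
# on the master for every client in the same job.
sophos_log:
  cmd.run:
    - name: 'type "C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log"'
    - require:
      - cmd: sophos_scan
```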

  • Windows Local Group Policy:

    controlling Updates + screen wallpaper

    Create lgpo.sls in /srv/salt with:

        Company Local Group Policy:
          lgpo.set:
            - computer_policy:
                Configure Automatic Updates:
                    Configure automatic updating: 4 - Auto download and schedule the install
                    Scheduled install day: 5 - Every Thursday
                    Scheduled install time: "16:00"
            - user_policy:
                Do not process the legacy run list: Enabled
                Desktop Wallpaper:
                    Wallpaper Name: C:\salt\wallpaper.jpg
                    WallpaperStyle: Fill

        Run myscript:
          cmd.run:
            - name: gpupdate.exe /force

    Then schedule the below command to run “every 30 mins.”
    */30 * * * * salt '*' state.apply lgpo

    This location: C:\Windows\PolicyDefinitions
    has the adm files that you can view for troubleshooting.
    Windows 10 Configure Automatic Updates differs from Windows 7, so if you have an environment with both Win7 and Win10 you're screwed; you need to create different settings for both sometimes. For example, this update setting will work on Windows 7, but Windows 10 will report an error about a missing value you need to add (I forgot what it is), and if you add it, Windows 7 machines won't work.

    Sometimes the response will be invalid, however the policy will work; to verify, use one of the below:

        salt '*' lgpo.get user                                  # By default shows only configured policies
        salt '*' lgpo.get machine
        salt '*' lgpo.get machine return_not_configured=True
        salt '*' lgpo.get_policy_info 'Maximum password age' machine
        salt '*' lgpo.get_policy_info 'Desktop Wallpaper' user
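    An added example (not the poster's lgpo.sls) for a mixed Windows 7 / Windows 10 fleet: the update policy that the thread reports as working on Windows 7 is applied only where the osrelease grain says 7, the wallpaper policy is applied everywhere, and gpupdate runs only when one of the lgpo states actually changed something, so the 30-minute schedule does not force a refresh on unchanged machines. The state IDs are assumptions; the Windows 10 update block is left out because the thread does not name the extra key that build needs.

```yaml
# Added example, not from the original post. State IDs are arbitrary.
# Windows 7 reports osrelease '7' and Windows 10 reports '10'.
{% if grains['osrelease'] == '7' %}
win7_update_policy:
  lgpo.set:
    - computer_policy:
        Configure Automatic Updates:
          Configure automatic updating: 4 - Auto download and schedule the install
          Scheduled install day: 5 - Every Thursday
          Scheduled install time: "16:00"
{% endif %}

# User policy that is the same on both releases.
wallpaper_policy:
  lgpo.set:
    - user_policy:
        Do not process the legacy run list: Enabled
        Desktop Wallpaper:
          Wallpaper Name: C:\salt\wallpaper.jpg
          WallpaperStyle: Fill

# onchanges: gpupdate runs only if an lgpo state above reported a change,
# instead of unconditionally every time the schedule fires.
refresh_policy:
  cmd.run:
    - name: gpupdate.exe /force
    - onchanges:
      - lgpo: wallpaper_policy
{% if grains['osrelease'] == '7' %}
      - lgpo: win7_update_policy
{% endif %}
```

    Verification is the same as above: salt '*' lgpo.get machine shows what was actually applied on each client.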

  • @msff-amman-Itofficer


    Download ccleaner portable and check the items you want to clear on clients, then upload the ccleaner folder to the salt master and send it to clients:
    salt '*' cp.get_dir salt://ccleaner/ c:/salt

    Run ccleaner silently, as well as delete the temp files and recycle bin prior:

    salt '*' cmd.run 'del /q/f/s %TEMP%\*'
    salt '*' cmd.run 'rd /s /q %systemdrive%\$Recycle.bin'
    salt '*' cmd.run '"c:/salt/ccleaner/CCleaner.exe" /AUTO'

  • Add some tags to the OP.
    Will make it easier to find in the future.

  • @Dashrender said in SaltStack Windows Playbooks:

    Add some tags to the OP.
    Will make it easier to find in the future.


  • SaltStack can control power settings for Windows machines via the below commands; you need to create a state file with the below:

            - value: 30
            - power: ac
            - value: 30
            - power: ac
            - value: 0
            - power: ac
            - value: 0
            - power: ac

    You can also get that information, without applying rules, by replacing set with get, for example: get_disk_timeout

    Then schedule the below commands in crontab (VISUAL=nano crontab -e) to run:
    */30 * * * * salt '*' state.apply power_ac
    */30 * * * * salt '*' state.apply power_dc

    It is good to apply this prior to windows update, or virus scan command.
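    The power_ac state written out in full, as an added example rather than the poster's file. It assumes the four powercfg timeout functions (set_monitor_timeout, set_disk_timeout, set_standby_timeout, set_hibernate_timeout) with their timeout keyword, that the 30/30/0/0 values map to them in that order, and the legacy module.run syntax in which the state ID doubles as the function name; power_dc.sls is the same file with power: dc.

```yaml
# Added example, not from the original post. Which timeout gets which value
# (monitor 30, disk 30, standby 0, hibernate 0) is assumed; 0 means never.
# Legacy module.run: with no "- name", the state ID is the function to call.
powercfg.set_monitor_timeout:
  module.run:
    - timeout: 30
    - power: ac

powercfg.set_disk_timeout:
  module.run:
    - timeout: 30
    - power: ac

# Standby and hibernate are disabled on AC so scheduled scans and
# updates are not interrupted by the machine sleeping mid-job.
powercfg.set_standby_timeout:
  module.run:
    - timeout: 0
    - power: ac

powercfg.set_hibernate_timeout:
  module.run:
    - timeout: 0
    - power: ac
```

    Check the result with salt '*' powercfg.get_disk_timeout, which reports the ac and dc values together.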

  • @msff-amman-Itofficer

    Fix Windows Time:

    Get list of configured NTP servers
    salt '*' ntp.get_servers

    Set Windows to use a list of NTP servers
    salt '*' ntp.set_servers ''

    salt '*' system.get_system_date
    salt '*' system.get_system_time

    Make sure the Windows Time Service is running and set to automatic startup.
    salt '*' system.start_time_service
    salt '*' system.stop_time_service

    After setting ntp, ensure the timezone is correct as well:

        salt '*' timezone.set_zone 'Asia/Amman'
        salt '*' system.set_system_date '03-28-13'
        salt '*' system.set_system_time "'14:16 +0300'"    # (if set using NTP it won't work)
        salt '*' system.set_system_time "'+0300'"          # (if set using NTP it won't work)

  • My Favorite Ultra-VNC setup:

    Not all issues can be fixed from the command line, alas, thus this recipe:

        # state IDs (uvnc_files, uvnc_run, uvnc_firewall) are placeholders; any unique names work
        uvnc_files:
          file.recurse:
            - source: salt://uvnc
            - name: 'c:\salt\uvnc'
            - makedirs: True

        uvnc_run:
          cmd.run:
            - name: 'c:\salt\uvnc\state.cmd'

        uvnc_firewall:
          module.run:
            - name: firewall.disable

    Remember to re-enable the firewall of the client when finished. (salt "client" firewall.enable)
    You will need to create a uvnc folder (get it from UltraVNC portable builds) in your Salt master, in /srv/salt.

    In it:

    • winvnc.exe

    • UltraVNC.ini

    • state.cmd

    • SecureVNCPlugin32.dsm (Optional Encryption plugin)

    • Server_ClientAuth.pubkey (Optional Encryption server SSL handshake check)

    And in the state.cmd put the following:

    taskkill /f /im winvnc.exe
    sc stop uvnc_service
    sc delete uvnc_service
    "c:\salt\uvnc\winvnc.exe" -install
    "c:\salt\uvnc\winvnc.exe" -startservice
    sc config uvnc_service start= demand
    ipconfig | findstr /i "ipv4"

    And whenever you want to connect to a client, run this on the salt master:
    salt '172' state.apply uvnc

    And you will see the IP of the client; match that IP (and any custom settings you made, like port number or encryption plugin) in VNC viewer and connect to the client.
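    A variant of the uvnc state that opens only the VNC listener port to the machine you run VNC viewer from, instead of disabling the whole client firewall, so there is nothing to re-enable afterwards. This is an added example, not the poster's file; the viewer address 192.0.2.10, the UltraVNC default port 5900, the rule name and the state IDs are assumptions.

```yaml
# Added example, not from the original post. Assumptions: the address the
# VNC viewer connects from (192.0.2.10) and UltraVNC's default port (5900).
uvnc_files:
  file.recurse:
    - source: salt://uvnc
    - name: 'c:\salt\uvnc'

# Same state.cmd as the thread: (re)install and start the uvnc_service.
uvnc_service:
  cmd.run:
    - name: 'c:\salt\uvnc\state.cmd'
    - require:
      - file: uvnc_files

# Allow inbound 5900/tcp from the viewer host only; the rest of the firewall
# stays up. 'unless' makes this idempotent: netsh exits non-zero when no
# rule with that name exists, so the rule is added once, not on every run.
uvnc_firewall_rule:
  cmd.run:
    - name: >-
        netsh advfirewall firewall add rule name="UltraVNC from admin host"
        dir=in action=allow protocol=TCP localport=5900 remoteip=192.0.2.10
    - unless: netsh advfirewall firewall show rule name="UltraVNC from admin host"
    - require:
      - cmd: uvnc_service
```

    When the session is over, the rule can be dropped with netsh advfirewall firewall delete rule name="UltraVNC from admin host" (via cmd.run) rather than touching the firewall state as a whole.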